Copy Fail and Dirty Frag: Linux Page-Cache Exploits Target Every Major Distribution

2026-05-12 · Source: InfoQ · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Artificial Intelligence & Machine Learning · Depth: Advanced, medium

Summary

Two new Linux kernel local privilege escalation vulnerabilities, "Copy Fail" (CVE-2026-31431) and "Dirty Frag" (CVE-2026-43284, CVE-2026-43500), were publicly disclosed in May 2026. Both allow an unprivileged local user to gain root access on affected distributions by exploiting logic flaws in the page cache, similar to the 2022 Dirty Pipe vulnerability. Copy Fail, discovered by Theori using their AI-powered tool Xint Code, is a logic flaw in the `algif_aead` kernel module, introduced in 2017. Dirty Frag, disclosed by Hyunwoo Kim, chains two vulnerabilities affecting the `esp4`, `esp6`, and `rxrpc` modules, covering a wider range of configurations. Both exploits are deterministic, do not rely on race conditions, and affect kernels dating back to 2017 or 2023, impacting major distributions like Ubuntu, RHEL, and SUSE.

Key takeaway

For CTOs and VPs of Engineering managing Linux infrastructure, immediately prioritize applying kernel updates to address Copy Fail and Dirty Frag. Your shared-kernel multi-tenant environments, including Kubernetes clusters and CI/CD runners, are particularly exposed. Consider implementing microVM runtimes like Firecracker or user-space kernels such as gVisor for workloads executing untrusted code to enhance isolation beyond standard Linux namespaces.

Key insights

New Linux kernel page-cache vulnerabilities enable unprivileged local users to gain root access across major distributions.

Principles

• Page-cache write flaws are a recurring exploit class.
• AI tools can significantly lower the cost of finding kernel logic flaws.

Method

Copy Fail exploits a logic flaw in `algif_aead` to write into the page cache of unowned files. Dirty Frag chains xfrm-ESP and RxRPC page-cache writes to achieve broader coverage.

In practice

• Update kernels to patch `algif_aead`, `esp4`, `esp6`, and `rxrpc` modules.
• Blacklist affected kernel modules as an interim mitigation.
• Use microVMs or user-space kernels for untrusted code execution.

Topics

• Linux Kernel Vulnerabilities
• Local Privilege Escalation
• Page Cache Exploits
• Copy Fail (CVE-2026-31431)
• Dirty Frag (CVE-2026-43284, CVE-2026-43500)

Code references

• V4bel/dirtyfrag

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, Security Engineer, MLOps Engineer

Related on AIssential

• Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years — A deterministic Linux kernel logic flaw enables reliable local privilege escalation via page cache corruption.
• Dirty Frag is a new Linux bug putting your system at risk - and there's no easy fix yet — Dirty Frag is a critical Linux kernel vulnerability enabling local privilege escalation via networking and authentication stack exploits.
• From 732 bytes to nowhere: shutting down Copy Fail in production — Linux kernel page cache vulnerabilities like Copy Fail amplify local exploits into cross-tenant risks in shared AI platforms.
• The third major Linux kernel flaw in two weeks has been found - thanks to AI — AI-driven tools are accelerating the discovery of critical open-source security vulnerabilities like Fragnesia.
• US government warns of severe CopyFail bug affecting major versions of Linux — The CopyFail vulnerability (CVE-2026-31431) grants root access on Linux systems by corrupting kernel data.
• This critical Linux vulnerability is putting millions of systems at risk - how to protect yours — Copy Fail (CVE-2026-31431) is a critical, stable Linux kernel vulnerability enabling easy root access.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.